b'                       OFFICE OF\n                THE INSPECTOR GENERAL\n\n                    U.S. NUCLEAR\n               REGULATORY COMMISSION\n\n\n\n                  Audit of the Licensing Support Network\n\n                      OIG\xe2\x80\x9304-A-16 August 12, 2004\n\n\n\n\n                        AUDIT REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                              August 12, 2004\n\n\n\n\nMEMORANDUM TO:                 G. Paul Bollwerk, III\n                               Chief Administrative Judge\n\n                               Luis A. Reyes\n                               Executive Director for Operations\n\n\n\nFROM:                          Stephen D. Dingbaum/RA/\n                               Assistant Inspector General for Audits\n\n\nSUBJECT:                       AUDIT OF THE LICENSING SUPPORT NETWORK\n                               (OIG-04-A-16)\n\n\nAttached is the Office of the Inspector General=s audit report titled, Audit of the Licensing\nSupport Network.\n\nThe report reflects the results of our audit to determine if (1) the Licensing Support Network\n(LSN) meets its required operational capabilities, (2) NRC=s communication with parties\nregarding LSN has been adequate, and (3) LSN provides for the confidentiality, availability, and\nintegrity of the data stored in the system. Overall, we found that, in May 2004, NRC reached a\nlong-sought agreement with the Department of Energy concerning LSN document availability.\nAdditionally, the Atomic Safety and Licensing Board Panel (ASLBP) communications with the\nparties about LSN and the Yucca Mountain licensing process have been effective. However,\nimprovements are needed to strengthen LSN system security. 
Specifically, NRC needs to\nestablish security agreements with all LSN interconnected parties and bring the LSN security\nplan into compliance with Federal regulations.\n\nThis report makes two recommendations to ASLBP to strengthen security of the LSN system.\n\nComments provided at the June 24, 2004, exit conference, during subsequent discussions, and\nin two memos dated July 14 and 16, 2004, have been incorporated, as appropriate, in our final\nreport. Appendices D and E contain the Agency\xe2\x80\x99s comments in their entirety and our specific\nresponse to each comment.\n\nIf you have any questions or wish to discuss this report, please call me at 415-5915 or\nBeth Serepca at 415-5911.\n\nAttachment: As stated\n\ncc:     W. Dean, OEDO\n\x0cDistribution List\n\nB. John Garrick, Chairman, Advisory Committee on Nuclear Waste\nMario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nDennis K. Rathbun, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nPatricia G. Norry, Deputy Executive Director for Management Services, OEDO\nWilliam F. Kane, Deputy Executive Director for Homeland Protection\n  and Preparedness, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research\n  and State Programs, OEDO\nEllis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO\nJacqueline E. Silber, Chief Information Officer\nMichael L. Springer, Director, Office of Administration\nFrank J. Congel, Director, Office of Enforcement\nGuy P. 
Caputo, Director, Office of Investigations\nPaul E. Bird, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\nOffice of Public Affairs, Region I\nOffice of Public Affairs, Region II\nOffice of Public Affairs, Region III\nOffice of Public Affairs, Region IV\n\x0c                                             Audit of the Licensing Support Network\n\n\n\n\nEXECUTIVE SUMMARY\n\n   BACKGROUND\n\n         The Nuclear Waste Policy Act of 1982, as amended, defines\n         United States policies governing the permanent disposal of\n         high-level radioactive waste. This act mandates that the\n         Department of Energy (DOE) has responsibility for constructing,\n         operating, and permanently closing a high-level nuclear waste\n         storage and disposal facility. This process requires DOE to\n         obtain authorization from the Nuclear Regulatory Commission\n         (NRC) to construct such a repository, as NRC is the agency that\n         regulates the civilian use of nuclear materials. 
Federal\n         regulations that dictate the rules for licensing Yucca Mountain\n         require NRC to develop the Licensing Support Network (LSN), a\n         Web-based search and retrieval system designed to allow\n         parties electronic access to all documents that could be used in\n         the hearing.\n\n   PURPOSE\n\n         The objectives of this audit were to determine if (1) the LSN\n         system meets its required operational capabilities, (2) NRC\xe2\x80\x99s\n         communication with parties regarding LSN has been adequate,\n         and (3) the system provides for the confidentiality, availability,\n         and integrity of the data stored in the system.\n\n   RESULTS IN BRIEF\n\n         In May 2004, NRC reached a long-sought agreement with DOE\n         concerning LSN document availability. Additionally, Atomic\n         Safety and Licensing Board Panel (ASLBP) communications\n         with the parties about LSN and the Yucca Mountain licensing\n         process have been effective. However, improvements are\n         needed to strengthen LSN system security. Specifically, NRC\n         needs to establish written agreements addressing security\n         responsibilities with parties whose servers are interconnected\n         with LSN and to bring the LSN security plan into compliance\n         with Federal regulations.\n\n\n\n\n                                   i\n\x0c                                                        Audit of the Licensing Support Network\n\n\n\n                   NRC and DOE Agree on an Approach for Making Documents\n                   Available via LSN\n\n                   In May 2004, NRC and DOE reached a long-sought agreement\n                   that allows parties access to DOE\xe2\x80\x99s discovery document\n                   collection in accordance with LSN Rule requirements\n                   concerning document availability. 
Through this agreement,\n                   DOE began providing NRC with electronic access to DOE\xe2\x80\x99s\n                   initial set of approximately 500,000 discovery documents before\n                   DOE certified this collection on June 30, 2004. Such access\n                   allowed NRC to begin processing and making these documents\n                   available in anticipation of a December 2004 license application\n                   submittal.\n\n                   ASLBP Communications With Parties Have Been Well\n                   Received\n\n                   ASLBP staff efforts to communicate with and accommodate the\n                   technical needs of the parties who will be using LSN have been\n                   well received by party representatives. Responses to technical\n                   needs have included allowing parties access for both viewing\n                   the universe of discovery documents and making their own\n                   document collections available through the system.\n\n                   NRC Lacks Agreements on Security With Interconnected\n                   Parties\n\n                   ASLBP lacks written agreements on security with parties whose\n                   servers are interconnected with LSN. Such agreements are\n                   required by Federal regulations between interconnecting system\n                   owners when one party is a Federal agency. NRC lacks such\n                   agreements1 because ASLBP does not view LSN as\n                   interconnected, even though it meets the Government\xe2\x80\x99s\n                   definition of such a system. 
By establishing written agreements\n                   addressing security responsibilities with parties whose servers\n                   are interconnected with LSN, NRC can strengthen LSN\xe2\x80\x99s\n                   protection against security breaches that could compromise\n                   LSN and the interconnected servers. A security breach could\n                   compromise the discovery data, which would affect both the\n                   Yucca Mountain license proceedings and public confidence in\n                   NRC.\n\n\n\n\n1\n    LSN is the only NRC owned interconnecting system.\n\n\n                                                  ii\n\x0c                                        Audit of the Licensing Support Network\n\n\n\n     LSN Security Plan Lacks Complete Documentation\n\n     NRC has conducted extensive reviews of LSN system security;\n     however, review results have not been documented in the\n     system security plan despite Federal requirements that this\n     occur. This information was not included in the security plan\n     because ASLBP was unaware of these particular requirements.\n     As a result, the security plan is not in compliance with Federal\n     regulations. Furthermore, by storing this information in a single\n     location, NRC can better ensure that security issues are\n     addressed and resolved.\n\nRECOMMENDATIONS\n\n     This report makes 2 recommendations to ASLBP to strengthen\n     security of the LSN system. A consolidated list of\n     recommendations appears on page 11 of this report.\n\nAGENCY COMMENTS\n\n     On July 14, 2004, the Executive Director for Operations\n     provided comments and on July 16, 2004, the Chief\n     Administrative Judge provided comments concerning the draft\n     audit report. We modified the report as we determined\n     appropriate in response to these comments. 
Appendices D and\n     E contain both NRC\xe2\x80\x99s comments and our specific response to\n     each comment.\n\n\n\n\n                             iii\n\x0c                          Audit of the Licensing Support Network\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               iv\n\x0c                                   Audit of the Licensing Support Network\n\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       ASLBP   Atomic Safety and Licensing Board Panel\n       DOE     Department of Energy\n       LSN     Licensing Support Network\n       NIST    National Institute of Standards and Technology\n       NRC     Nuclear Regulatory Commission\n       OMB     Office of Management and Budget\n\n\n\n\n                          v\n\x0c                          Audit of the Licensing Support Network\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               vi\n\x0c                                                             Audit of the Licensing Support Network\n\n\n\n\nTABLE OF CONTENTS\n\n    EXECUTIVE SUMMARY.................................................................. i\n    ABBREVIATIONS AND ACRONYMS ............................................. v\n    I.      BACKGROUND ....................................................................1\n    II.     PURPOSE ............................................................................3\n    III.    FINDINGS.............................................................................3\n            A.       NRC AND DOE AGREE ON AN APPROACH FOR MAKING\n                     DOCUMENTS AVAILABLE VIA LSN ..................................4\n            B.       ASLBP COMMUNICATIONS W ITH PARTIES HAVE BEEN\n                     WELL RECEIVED ...........................................................6\n            C.       NRC LACKS AGREEMENTS ON SECURITY W ITH\n                     INTERCONNECTED PARTIES ...........................................7\n            D.       
LSN SECURITY PLAN LACKS COMPLETE\n                     DOCUMENTATION .........................................................9\n\n\n    IV.     CONSOLIDATED LIST OF RECOMMENDATIONS...........11\n    V.      AGENCY COMMENTS.......................................................13\n    APPENDICES\n            A.       Scope and Methodology ..........................................15\n            B.       Diagram of Licensing Support Network Architecture 17\n            C.       Timeline of Significant LSN Events ..........................19\n            D.       ASLBP Comments and OIG Response....................21\n            E.       EDO Comments and OIG Response .......................25\n\n\n\n\n                                              vii\n\x0c                  Audit of the Licensing Support Network\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n       viii\n\x0c                                              Audit of the Licensing Support Network\n\n\n\nI. BACKGROUND\n\n       Nuclear Waste Policy Act\n\n       The Nuclear Waste Policy Act of 1982, as amended, (The Act)\n       defines United States policies governing the permanent disposal of\n       high-level radioactive waste. The Act mandates the Department of\n       Energy (DOE) has responsibility for constructing, operating, and\n       permanently closing a high-level nuclear waste storage and\n       disposal facility. This process requires DOE to obtain authorization\n       from the Nuclear Regulatory Commission (NRC) to construct such\n       a repository, as NRC is the agency that regulates the civilian use of\n       nuclear materials. The Act identifies Yucca Mountain, Nevada, as\n       the single candidate site for the high-level waste repository. 
The\n       Act, as amended, requires that once DOE submits a license\n       application, NRC will have 3 years to perform its review, conduct a\n       public hearing, and reach a decision as to whether DOE can\n       proceed with construction. The law allows for a fourth year for the\n       review process, if needed. Currently, DOE projects it will submit its\n       license application in December 2004.\n\n       Creation of the Licensing Support Network\n\n       Federal regulations that dictate procedures applicable to the\n       proceeding for issuance of a license for a high-level waste geologic\n       repository are contained in the Code of Federal Regulations, Title\n       10, Part 2, Subpart J, \xe2\x80\x9cProcedures Applicable to Proceedings for\n       the Issuance of Licenses for the Receipt of High-Level Radioactive\n       Waste at a Geologic Repository\xe2\x80\x9d (LSN Rule). These regulations\n       require NRC to develop the Licensing Support Network (LSN), a\n       Web-based search and retrieval system designed to allow parties\n       electronic access to all documents that could be used in the\n       hearing. One of LSN\xe2\x80\x99s main purposes is to lessen the discovery\n       period (i.e., time spent on the exchange of documents that may be\n       used as evidence in the NRC licensing proceeding), which occurs\n       at the start of the license application process. Usually, the\n       discovery process involves requests for physical access to\n       documents.\n\n       The LSN Rule also identifies NRC\xe2\x80\x99s role and the roles of the other\n       licensing process participants such as the LSN Administrator and\n       the LSN Advisory Review Panel. According to the LSN Rule, the\n       LSN Administrator is an NRC employee responsible for\n       coordinating access to and the integrity of all data available on\n       LSN. 
This individual also identifies technical and policy issues for\n       the LSN Advisory Review Panel and Commission consideration.\n\n\n                                  1\n\x0c                                                                 Audit of the Licensing Support Network\n\n\n\n                 The panel is a group of 17 representatives from interested parties2\n                 who are to provide advice to NRC on the technical requirements\n                 and functionality of LSN. The LSN Rule also:\n\n                 \xe2\x80\xa2   Describes the rules and guidelines for submitting documents to\n                     LSN,\n\n                 \xe2\x80\xa2   Defines the parties and their responsibilities for establishing\n                     their own data repository servers and providing their information\n                     to LSN,\n\n                 \xe2\x80\xa2   Establishes that once a party has submitted all documents to\n                     NRC, a party representative must certify to NRC that its\n                     collection is complete and electronically available, and\n\n                 \xe2\x80\xa2   Requires DOE to initially certify its document collection at least\n                     6 months before submitting its license application and update\n                     the certification when submitting its license application.\n\n                 System Capability\n\n                 LSN is a Web-based system that accesses other party-owned\n                 servers. Once each party establishes a server to house its\n                 documents, LSN connects with these servers, scans the\n                 information contained within these servers, and indexes the\n                 documents. 
(See Appendix B for a diagram of LSN architecture.)\n                 Indexing is a process that consists of searching the documents to\n                 identify key words and themes and then creating a store of these\n                 key words and themes with reference to the original data source for\n                 easy search and retrieval.\n\n                 NRC\xe2\x80\x99s Atomic Safety and Licensing Board Panel (ASLBP)\n                 manages LSN development and is responsible for system security\n                 and functionality3. ASLBP conducts hearings for the Commission\n                 and performs other regulatory functions as the Commission\n                 authorizes. It will be ASLBP\xe2\x80\x99s role to act as the judge during the\n                 Yucca Mountain license proceeding. To date, NRC has spent over\n                 $5 million to make the system capable and ready to receive\n                 discovery documents. The LSN business case states that the\n                 system will operate through fiscal year 2008, which will allow for its\n                 use throughout the licensing process.\n\n\n2\n  10 CFR \xc2\xa7 2.1001 states that for the purpose of the Yucca Mountain proceedings, party means DOE, the\nNRC staff, the state of Nevada, any affected unit of local government, and any affected Indian Tribe.\n3\n  The LSN system was developed under contract by AT&T. Network security is provided by the contractor,\nincluding firewall protection.\n\n\n                                                  2\n\x0c                                                                Audit of the Licensing Support Network\n\n\n\n            While LSN is capable of housing 4 million documents (40 million\n            pages), as of May 2004, 140,455 documents had been loaded and\n            indexed. 
Figure 1 contains the projected percentage of documents\n            expected from each party.\n\n\n     Figure 1.\n\n\n                             Expected Document Collection\n                              100\n                               80\n                                                  95.08\n             Percentage of     60\n              Collection       40\n                               20      3.52                      0.95       0.45\n                                 0\n                                      NRC         DOE      State of        Other\n                                                           Nevada         Parties\n\n                                                      Parties\n\n\n      * Sizes of the document collections are predicted at: NRC \xe2\x80\x93 37,000 documents; DOE \xe2\x80\x93\n      1,000,000 documents; State \xe2\x80\x93 10,000 documents; other parties \xe2\x80\x93 4,700 documents\n\n\n\n\nII. PURPOSE\n\n            The objectives of this audit were to determine if (1) the LSN system\n            meets its required operational capabilities, (2) NRC\xe2\x80\x99s\n            communication with parties regarding LSN has been adequate, and\n            (3) the system provides for the confidentiality, availability, and\n            integrity of the data stored in the system.\n\n\nIII. FINDINGS\n\n            In May 2004, NRC reached a long-sought agreement with DOE\n            concerning LSN document availability. Additionally, ASLBP\n            communications with the parties about LSN and the Yucca\n            Mountain licensing process have been effective. 
However,\n            improvements are needed to strengthen LSN system security.\n            Specifically, NRC needs to establish written agreements\n            addressing security responsibilities with parties whose servers are\n            interconnected with LSN and to bring the LSN security plan into\n            compliance with Federal regulations.\n\n\n                                              3\n\x0c                                              Audit of the Licensing Support Network\n\n\n\n\nA. NRC AND DOE AGREE ON AN APPROACH FOR MAKING DOE\n   DOCUMENTS AVAILABLE VIA LSN\n\n       In May 2004, NRC and DOE reached a long-sought agreement that\n       allows parties access to DOE\xe2\x80\x99s discovery document collection in\n       accordance with LSN Rule requirements concerning document\n       availability. Through this agreement, DOE began providing NRC\n       with electronic access to DOE\xe2\x80\x99s initial set of approximately 500,000\n       discovery documents before DOE certified this collection on June\n       30, 2004. Such access allowed NRC to begin processing and\n       making these documents available in anticipation of a December\n       2004 license application submittal.\n\n       Document Availability Requirements\n\n       LSN Rule requirements are intended to facilitate access to\n       discovery documents before DOE submits a license application.\n       DOE is required to certify and make its discovery documents\n       electronically available at least 6 months before submitting the\n       license application and must update this certification at application\n       submittal time. NRC must certify and make its own discovery\n       documents electronically available within 30 days after DOE\xe2\x80\x99s initial\n       certification, and other parties must certify and make their material\n       available within 90 days after DOE\xe2\x80\x99s initial certification (see Figure\n       2). 
The LSN Rule states that certification occurs when a\n       responsible party official formally asserts to NRC that its discovery\n       document collection has been identified and made electronically\n       available.\n\n\n\n\n                                  4\n\x0c                                            Audit of the Licensing Support Network\n\n\n\n\nFigure 2.\n\n\n\n\n      NRC and DOE Concerns Over Availability\n\n      The issue of timely document availability has been a point of\n      contention for NRC and DOE in past years and, until recently, the\n      two agencies had not been able to negotiate a solution to\n      accommodate LSN processing time requirements. LSN can\n      process and make documents available at a rate of approximately\n      150,000 documents per week. Given this processing rate, NRC\n      requested that parties provide a significant percentage of their\n      documentary material before certification in order to be indexed and\n      loaded for availability in accordance with LSN Rule requirements.\n      (See Appendix C for a timeline reflecting significant\n      communications concerning LSN document availability.)\n\n      Prior to the recent agreement, DOE had not agreed to\n      accommodate this request because DOE was concerned it would\n      lose control over its collection and that its documents would\n      become available prior to certification.\n\n\n\n\n                                5\n\x0c                                                                     Audit of the Licensing Support Network\n\n\n\n\n                  LSN Rule Revision and New LSN User Guidance Support NRC-\n                  DOE Agreement\n\n                  The recent NRC-DOE agreement is supported by (1) a revision to\n                  the LSN Rule concerning supplementation of initial document\n                  collections and (2) an ASLBP update of LSN user guidance with a\n                  section concerning pre-certification 
submission of documents to\n                  NRC for processing. The LSN Rule revision requires DOE and\n                  other parties to supplement their initial document collections with\n                  documents produced after certification up until the close of the\n                  discovery period4. ASLBP\xe2\x80\x99s new LSN user guidance (LSN\n                  Guideline Number 23, \xe2\x80\x9cAccess Control Prior to Initial Certification\xe2\x80\x9d)\n                  provides a strategy for parties to submit documents to LSN for pre-\n                  certification processing. The guidance explains that these\n                  documents need not be made available to the public or another\n                  party until the owner party provides initial certification of its\n                  document collection.\n\n\n    B. ASLBP COMMUNICATIONS WITH PARTIES HAVE BEEN WELL\n       RECEIVED\n\n                  ASLBP staff efforts to communicate with and accommodate the\n                  technical needs of the parties who will be using LSN have been\n                  well received by party representatives. Responses to technical\n                  needs have included allowing parties access for both viewing the\n                  universe of discovery documents and making their own document\n                  collections available through the system.\n\n                  According to party representatives, ASLBP staff communicated\n                  effectively during numerous LSN Advisory Review Panel meetings\n                  held in Nevada during the LSN development stage. These\n                  meetings provided a forum in which party representatives could\n                  freely express concerns about the system. 
One representative\n                  stated these meetings allowed smaller parties to feel equal to large\n                  government agencies because all viewpoints expressed during\n                  these meetings received careful consideration. Another\n                  representative stated these meetings provided party\n                  representatives with valuable information on the licensing process,\n                  which they could then convey to their communities. A different\n                  party representative stated ASLBP staff consistently provided quick\n\n4\n Code of Federal Regulations, Title 10, Part 2, Appendix D, \xe2\x80\x9cSchedule for the Proceeding on Consideration\nof Construction Authorization for a High-Level Waste Geologic Repository,\xe2\x80\x9d anticipates the close of\ndiscovery to occur near the time of the second pre-hearing conference held to finalize issues for hearing and\nset schedule for prefiled testimony and hearing.\n\n\n                                                     6\n\x0c                                                         Audit of the Licensing Support Network\n\n\n\n                   and thorough responses to their questions. One party\n                   representative, experienced in public-government interactions, said\n                   these meetings provided the best interactions with government\n                   entities he ever experienced.\n\n                   ASLBP staff have also provided technical support to the parties,\n                   although this type of assistance is not required by Federal\n                   regulations. Party representatives reported ASLBP addressed their\n                   system issues fairly and completely. These individuals stated the\n                   guidance they received helped them establish their servers. 
Some\n                   party representatives received hands-on training on LSN from\n                   ASLBP staff.\n\n                   ASLBP\xe2\x80\x99s success in communicating with the parties has generated\n                   a positive view toward the agency and provides an example of\n                   NRC\xe2\x80\x99s efforts to strengthen public confidence.\n\n\n      C. NRC LACKS AGREEMENTS ON SECURITY WITH INTERCONNECTED\n         PARTIES\n\n                   ASLBP lacks written agreements addressing security\n                   responsibilities with parties whose servers are interconnected with\n                   LSN. Such agreements are required by Federal regulations\n                   between interconnecting system owners when one party is a\n                   Federal agency. NRC lacks such agreements5 because ASLBP\n                   does not view LSN as interconnected, even though it meets the\n                   Government\xe2\x80\x99s definition of such a system. By establishing written\n                   agreements addressing security responsibilities with parties whose\n                   servers are interconnected with LSN, NRC can strengthen LSN\xe2\x80\x99s\n                   protection against security breaches that could compromise LSN\n                   and the interconnected servers. A security breach could\n                   compromise the discovery data, which would affect both the Yucca\n                   Mountain license proceedings and public confidence in NRC.\n\n                   Interconnected Parties Should Agree on Security Procedures\n                   and Controls\n\n                   Office of Management and Budget (OMB) Circular No. 
A-130\n                   Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information\n                   Resources,\xe2\x80\x9d establishes a minimum set of controls that Federal\n                   agencies must include in their automated information security\n                   programs. OMB requires that before an agency allows its systems\n                   to be connected to other entities\xe2\x80\x99 systems, it must obtain written\n                   management authorization from the other system owners agreeing\n\n5\n    LSN is the only NRC owned interconnecting system.\n\n\n                                                    7\n\x0c                                       Audit of the Licensing Support Network\n\n\n\nto implement measures to protect the integrity of the\ninterconnections. This written agreement \xe2\x80\x93 which can be in the\nform of a memorandum of understanding between the agency and\neach interconnected entity \xe2\x80\x93 should define the rules of behavior\nand controls that must be maintained for the system\ninterconnections, and should be included in the Federal agency\xe2\x80\x99s\nsystem security plan.\n\nThe National Institute of Standards and Technology (NIST) defines\ninterconnection as the direct connection of two or more information\ntechnology systems for the purpose of sharing data and other\ninformation resources. NIST identifies basic components of a\nsystem interconnection: two information technology systems and\nthe mechanism by which they are joined (the \xe2\x80\x9cpipe\xe2\x80\x9d through which\ndata is made available, exchanged, or passed one-way only).\n\nLSN Has No Requirements for Interconnected Servers\n\nAlthough LSN meets NIST\xe2\x80\x99s definition of an interconnected system,\nNRC lacks written agreements with interconnected LSN parties\nagreeing to protect the integrity of the interconnections. 
LSN contains numerous security features intended to protect the integrity of the system data, such as virus scanning and audit trails; however, there are no security requirements for interconnected servers. While such security requirements are not required for private sector interconnected servers, as a matter of prudent best practices, written agreements addressing security responsibilities should nonetheless be obtained.

NRC Does Not View LSN as an Interconnected System

NRC never pursued written agreements with the other parties because ASLBP views the system as independent and not connected with other systems. An ASLBP member stated that LSN does not connect to the parties’ servers, but that it indexes the information on those servers. The LSN security plan reflects this view, stating that LSN is an intermediary between public Web sites and LSN-specific sites and users. Thus, according to the plan, there is no interconnectivity between LSN and any other system.

During the course of this audit, OIG conveyed to ASLBP officials the need for a memorandum of understanding. ASLBP officials agreed and, after the meeting, developed a draft document for review by the parties and issued a final version on May 27, 2004.

Agreement Would Help To Mitigate Risk

By establishing agreements on security with the interconnected server parties, NRC will strengthen LSN’s protection against the risks posed by interconnectivity. For example, if an interconnection is not properly designed, security failures could compromise the connected systems and the data that they store, process, or transmit.
Although LSN has not faced a security compromise, if LSN data were to become compromised, this could affect both the license proceedings and public confidence in the agency. The potential for compromise is underscored by the fact that, in most cases, the participating organizations have little or no control over the operation and management of the other party’s system. It is critical that NRC establish written agreements with parties whose servers are interconnected with LSN regarding the management, operation, and use of the interconnection.

RECOMMENDATION

OIG recommends that the ASLBP:

1. Establish written agreements with each interconnected party detailing minimum security responsibilities for their interconnected system.

D. LSN SECURITY PLAN LACKS COMPLETE DOCUMENTATION

NRC has conducted extensive reviews of LSN system security; however, the review results have not been documented in the system security plan despite Federal requirements that this occur. This information was not included in the security plan because ASLBP was unaware of these particular requirements. As a result, the security plan is not in compliance with Federal regulations. Furthermore, by storing this information in a single location, NRC can better ensure that security issues are addressed and resolved.

According to OMB Circular No. A-130, Federal agency system security plans must be consistent with guidance issued by NIST. System security plans document the management, technical, and operational controls for protecting Federal automated information systems. NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, provides guidance for Federal agencies to follow when developing these plans.
According to OMB and NIST, agencies must:

• Conduct a risk assessment as part of a risk-based approach to determining adequate, cost-effective security for a system,

• Perform, at least every 3 years, an independent review of the security controls for each major application,

• Include in each system’s security plan information about the last independent review and any findings or recommendations from the review, and

• Place responsibility for ensuring system security and updating the system security plan on a management official[6] with knowledge of and responsibility for the system.

ASLBP has conducted extensive reviews of LSN system security; however, review findings and improvements made to LSN security have not been documented in the system security plan. These review efforts have included both NRC-sponsored risk assessments and an independent review by the National Security Agency to verify that existing controls provide a level of protection commensurate with the needs of the system.
The ASLBP staff working on LSN have resolved the issues from both the in-house and independent reviews, yet NRC’s LSN security plan does not reflect these efforts because ASLBP was unaware that this was required.

By documenting the results of NRC’s risk assessments and security reviews in the LSN security plan, NRC will comply with Federal requirements and better ensure that security issues are addressed and resolved.

RECOMMENDATION

OIG recommends that the ASLBP:

2. Update the security plan to include information required by OMB Circular No. A-130.

[6] For the LSN system this responsibility is placed with the LSN project officer who oversees the LSN contract.

IV. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the ASLBP:

1. Establish written agreements with each interconnected party detailing minimum security responsibilities for their interconnected system.

2. Update the security plan to include information required by OMB Circular No. A-130.

V. AGENCY COMMENTS

On July 14, 2004, the Executive Director for Operations provided comments, and on July 16, 2004, the Chief Administrative Judge provided comments concerning the draft audit report.
We modified the report as we determined appropriate in response to these comments. Appendices D and E contain both NRC’s comments and our specific response to each comment.

Appendix A

SCOPE AND METHODOLOGY

This audit reviewed the Licensing Support Network (LSN) to (1) assess if the LSN system meets its required operational capabilities, (2) determine if the Nuclear Regulatory Commission’s (NRC) communication with parties to the Yucca Mountain licensing proceedings has been adequate, and (3) determine if LSN provides for the confidentiality, availability, and integrity of the data stored in the system.

The Office of the Inspector General audit team reviewed relevant criteria, including the Code of Federal Regulations, Title 10, Part 2, Subpart J, “Procedures Applicable to Proceedings for the Issuance of Licenses for the Receipt of High-Level Radioactive Waste at a Geologic Repository” (LSN Rule); Office of Management and Budget Circular No. A-130 Appendix III, “Security of Federal Automated Information Resources”; General Accounting Office “Federal Information System Controls Audit Manual”; and National Institute of Standards and Technology guidance.
The audit team also reviewed the LSN business case and NRC system development documents to gain a comprehensive understanding of the system.

Auditors interviewed Atomic Safety and Licensing Board Panel staff to better understand the activities and actions taken concerning LSN, an Office of the Chief Information Officer staff member to determine compliance with system security requirements, and Office of the General Counsel staff to better understand NRC’s role in the Yucca Mountain licensing process. Interviews were conducted with representatives from interested parties, including the Department of Energy; State of Nevada; City of Las Vegas; Clark, Churchill, Eureka, Lander, Lincoln, Mineral, and White Pine counties; and the Nevada Nuclear Waste Task Force.

This work was conducted from November 2003 through March 2004 in accordance with Generally Accepted Government Auditing Standards.
The work was conducted by Elizabeth Bowlin, Auditor; Rebecca Underhill, Management Analyst; and Beth Serepca, Team Leader.

Appendix B

DIAGRAM OF LICENSING SUPPORT NETWORK ARCHITECTURE

[Diagram: the DOE Server, NRC Server, Nevada Server, and Other Parties’ Servers feed the Licensing Support Network (www.lsnnet.gov), which in turn provides Public Access and Party Access.]

Appendix C

TIMELINE OF SIGNIFICANT LSN EVENTS

DATE            ACTIVITY

June 2001       ASLBP issues LSN Guideline Number 8, “Schedule of Submission of Documentary Material.” This guideline discusses the need for parties to make a “significant percentage” of their documentary material available before certifying their document collections are complete.

August 2001     LSN Semiannual Report to the Commission states once LSN is operational, an LSN-related dispute potentially could be raised that would require consideration by a Pre-License
Application Presiding Officer.

August 2001     DOE estimates its document collection will comprise 900,000 documents.

October 2001    LSN system becomes operational.

June 2002       DOE projects it will submit its license application for the Yucca Mountain High-Level Waste Repository in December 2004, extending the date from March 2002. Given this application date of December 2004, DOE projects it will certify the completeness of its document collection in June 2004.

September 2002  LSN Semiannual Report to the Commission describes DOE’s projected schedule. See June 2002 item above.

February 2003   LSN Semiannual Report to the Commission states that in November 2002, DOE issued a solicitation for a contractor to organize and prepare DOE documentary material, but has not indicated the date it expects to start making this material available to LSN.

April 2003      DOE revises its document collection estimate to 3 to 4 million documents. The documents are expected to comprise between 27.5 and 36.5 million pages.

April 2003      ASLBP responds in writing to DOE’s new estimate of its document collection.
ASLBP predicts it will take LSN software 40 weeks to index 4 million documents.

June 2003       DOE offers to index its document collection prior to certification. ASLBP declines, citing document integrity.

August 2003     LSN Semiannual Report to the Commission states ASLBP advised DOE in a letter dated April 29, 2003, of their understanding that documents are not “available” via LSN until the indexing process is complete.

September 2003  ASLBP upgrades the capacity of LSN to visit, identify, and retrieve newly available materials from 100,000 to 150,000 documents per week.

February 2004   ASLBP corresponds in writing with DOE to negotiate a strategy to make the DOE document collection available to the LSN Administrator before certification. According to ASLBP, this could reduce the impact of LSN processing time on the licensing proceedings.

March 2004      ASLBP and DOE meet to discuss a strategy to make the DOE document collection available to the LSN Administrator before certification to reduce the impact of LSN processing time on the licensing proceedings.

April 2004      ASLBP issues LSN Guideline Number 23, “Access Control Prior to Initial Certification,” to inform parties of the steps required to submit documents to the LSN Administrator for processing prior to certification.
This guidance specifically explains that these documents would not be available to other parties for case preparation until after certification.

April 2004      10 CFR Part 2, Subpart J (the LSN rule) is in the final draft stage of revision. Amendments pertain to LSN participants’ continuing obligation to update their documentary material after initial certification and other issues.

May 2004        DOE revises its document collection estimate to 1 million documents. The documents are expected to comprise 12 million pages.

May 2004        ASLBP and DOE reach agreement concerning document availability for processing by LSN. DOE agrees to provide documents to NRC in accordance with ASLBP guidance issued in April 2004.

June 2004       DOE submits initial certification of its document collection.

July 2004       The effective date of the revised final LSN Rule is July 14, 2004.

Appendix D

ASLBP COMMENTS AND OIG RESPONSE

OIG’s Analysis of ASLBP’s Comments

While LSN is similar to FirstGov.gov in that both are web portals, LSN is distinct from that system. LSN not only connects independent document collection servers, it retains information from those collection servers on its own server.
In addition, LSN deposits a unique identifier on every document contained within each independent document server. This transfer of information between independent servers increases the vulnerability of the LSN system. We contacted a NIST official who verified that LSN met the requirements of OMB Circular A-130 regarding interconnecting systems. Therefore this finding is unchanged.

Appendix E

EDO COMMENTS AND OIG RESPONSE

OIG’s Analysis of the EDO’s Comments

Below are the agency’s comments to the draft audit report and OIG’s response to each comment. The agency’s comments are numbered; OIG’s response follows each comment.

1. The first sentence of the paragraph entitled “Creation of the Licensing Support Network” (LSN) (page 1) incorrectly indicates that the Federal regulations that dictate the “rules for licensing” Yucca Mountain are contained in 10 CFR Part 2, Subpart J. Part 2, Subpart J defines procedures applicable to proceedings for issuance of licenses for receipt of high-level radioactive waste at a geologic repository.
We suggest changing this sentence to read: “Federal regulations that dictate the rules for licensing Yucca Mountain procedures applicable to the proceeding for issuance of a license for a high-level waste geologic repository are contained in...Part 2, Subpart J.”

We modified the report wording to correctly characterize Subpart J.

2. Section A, NRC and DOE Agree on an Approach for Making DOE Documents Available via LSN (page 5). This section needs to be updated to reflect DOE’s certification to the NRC on June 30, 2004, of the public availability through the Internet of documents relative to Yucca, as well as to reflect DOE’s provision of documents prior to this certification (see DOE’s press release at http://www.doe.gov/engine/content.do?PUBLIC_ID=16120&BT_CODE=PR_PRESSRELEASES&TT_CODE=PRESSRELEASE).

We modified the report wording to reflect DOE’s certification to the NRC.

3. The first paragraph under the section entitled “Future Issues” (page 7) is a discussion of estimates of the size of DOE’s document collection. OIG may wish to update this information to reflect the estimates provided in the DOE press release issued on June 30, 2004 (see comment #2 for address).

We deleted this paragraph from the report.

4.
Section C, NRC Lacks Agreements on Security With Interconnected Parties. The first sentence (page 9) should be clarified by revising it to read: “ASLBP lacks written agreements on addressing security responsibilities with parties whose servers are interconnected with LSN.”

We modified the report wording to reflect the agency’s comment.

5. We do not believe that a plain reading of the information-sharing provision of Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources (Appendix III, section f), serves as the legal regulatory reference source for “Federal regulations” in the context of mandating a written agreement. The circular does not use obligatory terms (“shall” or “must”). The draft audit report’s reference to “Federal regulations” may be appropriately attributed to National Institute of Standards and Technology (NIST) Special Publication Number 800-18, Guide for Developing Security Plans for Information Technology Systems. However, it should not be assumed that this publication is “Federal regulation” or requires complete compliance with the published guidance. The publication’s introduction states, “This document provides a guideline for federal agencies to follow...” (emphasis added), and uses “should” throughout.
Additionally, the Department of Justice Memorandum to Federal Chief Information Officers dated December 30, 1998, regarding the NIST security planning guide, refers to NIST Special Publication 800-18 as a useful “guide” that Federal agencies “can” use. Moreover, NIST Special Publication Number 800-47, Security Guide for Interconnected Information Technology Systems, expressly notes that it is not a guideline under NIST’s statutory authority and serves as recommended guidance (emphasis added). Therefore, we recommend the following changes to the report:

a. In the first paragraph of section C (page 9), we recommend changing the reference in the second sentence, “are required by Federal regulations,” to be more accurate, e.g., change to “are recommended by a National Institute of Standards and Technology (NIST) publication” or “are recommended by Federal guidelines.”

EDO officials believe that section C rests only on recommended guidelines and not on Federal requirements. OMB Circular A-130 is in fact a Federal regulation, as noted by Circular A-1. That Circular states, “The provisions of any Circular or Bulletin, except as otherwise specifically provided in any given Circular or Bulletin, shall be observed by every such department or establishment insofar as the subject matter pertains to the affairs of such department or establishment.” Therefore the report wording remains unchanged.

b.
In the paragraph of section C entitled “LSN Has No Requirements for Interconnected Servers” (page 10), we recommend adding the following sentence at the end of the paragraph: “While such security requirements are not required for private sector interconnected servers, as a matter of prudent best practices, written agreements addressing security responsibilities should nonetheless be obtained.”

We included the agency’s recommended sentence.

c. In the first paragraph of section D (page 11), we recommend that the third sentence be changed to read: “As a result, the security plan is not in compliance with Federal regulations guidance.”

See OIG response to comment 5a.

d. Change the sentence just prior to recommendation 2 in section D (page 13) to read: “By documenting the results of NRC’s risk assessments and security reviews in the LSN security plan, NRC will comply conform with Federal requirements guidelines...”

See OIG response to comment 5a.

6. The diagram of the LSN architecture in Appendix B of the report (page 17) contains a block “Access to LSN Documents,” which is not connected to the rest of the diagram. We suggest providing an appropriate connection or deleting the block.

We modified the diagram to more clearly delineate access to LSN.

7.
OIG may want to consider including the recent DOE certification on June 30, 2004, in the timeline of significant LSN events in Appendix C of the report (pages 18-19).

We added a row to Appendix C to reflect DOE’s certification.